Solutions

Essential 8 Recommendations

Application Whitelisting

What: Prevents applications from loading into memory unless they are approved by hash, location, owner or publisher.

Why: To prevent execution of unapproved/malicious programs, including .exe files, DLLs, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.

User Application Hardening

What: Restrict applications to the uses for which they are needed, and limit their ability to be used maliciously.

Why: Flash, ads and Java are popular ways to deliver and execute malicious code on systems.

Multi-factor Authentication

What: Apply MFA/2FA to all systems/processes that allow it.

Why: Stronger user authentication makes it harder for adversaries to access sensitive information and systems.

Patch Operating Systems

What: Protect against known exploitations by applying security and critical updates.

Why: Security vulnerabilities in operating systems can be used to further the compromise of systems.

Configure Microsoft Office Macro Settings

What: Restrict Office products from running macro scripts.

Why: Microsoft Office macros can be used to deliver and execute malicious code on systems.

Restrict Administrative Privileges

What: Remove the elevated access users need to install most applications. (Note: this does not stop applications that do not require installation from running.)

Why: Admin accounts are the ‘keys to the kingdom’. Adversaries use these accounts to gain full access to information and systems.

Daily Backups

What: Back up all critical data to encrypted, isolated and restricted systems, both onsite and offsite, daily as a minimum. (Note: we recommend backups are performed as often as possible in order to reduce your Recovery Point Objective.)

Why: To ensure information can be accessed following a cyber security incident (e.g. a ransomware incident).

Additional Recommendations

Device Whitelisting

What: Limits use of pre-approved specific devices to pre-approved users/groups/networks at configured times.

Why: To prevent unknown, potentially malicious devices from entering your network.
Assists with: DLP

Device Filtering

What: Limits data being read or written using pre-defined filetypes/filetype groups.

Why: When approved devices are connected, only the pre-defined filetypes are allowed in or out.
Assists with: DLP

Device Auditing / Shadowing

What: Log device file activity and keep copies of the files transferred.

Why: Review and understand what files are being copied/edited to/from approved devices. Not just logging, but complete shadow copies of the files transmitted.
Assists with: DLP

Network Auditing/Filtering

Why: Control threats with behavior-based patterns. Ensure networking systems are dynamic enough to prevent unusual behavior.

System Redundancy

What: Have your systems designed to cater for planned or unplanned outages.

Why: Maintain business continuity with redundant, high-availability systems.

Disaster Recovery Plans

Why: Ensure you have a plan and process for how to recover from a disaster.

Consider:
– Recovery Time Objectives (RTO)
– Recovery Point Objectives (RPO)